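/**
 * @fileoverview Secret detection type definitions
 * @module @nahisaho/musubix-security/types/secret
 * @trace REQ-SEC-SECRET-001, REQ-SEC-SECRET-002
 */
import type { SourceLocation, Severity } from './vulnerability.js';

/**
 * Secret type classification.
 *
 * `custom` is presumably the bucket for user-supplied patterns whose
 * secret kind is not in the built-in list — confirm against the scanner.
 * @trace REQ-SEC-SECRET-001
 */
export type SecretType =
  | 'api-key'
  | 'aws-access-key'
  | 'aws-secret-key'
  | 'azure-connection-string'
  | 'gcp-service-account'
  | 'github-token'
  | 'gitlab-token'
  | 'npm-token'
  | 'private-key'
  | 'ssh-key'
  | 'database-url'
  | 'jwt-secret'
  | 'oauth-secret'
  | 'password'
  | 'encryption-key'
  | 'slack-webhook'
  | 'stripe-key'
  | 'twilio-key'
  | 'sendgrid-key'
  | 'custom';

/**
 * Secret context (the syntactic position the match was found in).
 */
export type SecretContext =
  | 'source-code'
  | 'config-file'
  | 'environment'
  | 'comment'
  | 'string-literal'
  | 'template-literal'
  | 'object-property'
  | 'array-element';

/**
 * A detected secret.
 *
 * Only a masked form and a hash of the matched value are carried here;
 * the raw value is intentionally absent from this type.
 * @trace REQ-SEC-SECRET-001
 */
export interface Secret {
  /** Unique secret ID (e.g., "SEC-2026-001") */
  id: string;
  /** Secret type */
  type: SecretType;
  /** Source code location */
  location: SourceLocation;
  /**
   * Masked value (first 4 and last 4 chars visible).
   * NOTE(review): with that scheme a value of 8 characters or fewer would be
   * shown in full — confirm the masker handles short inputs.
   */
  maskedValue: string;
  /**
   * Full value hash (SHA-256) for deduplication.
   * NOTE(review): if the hash is unsalted/unkeyed, a low-entropy secret
   * (e.g. a `password`) can be recovered from it by guessing — treat the
   * hash as sensitive in reports and logs; confirm how it is derived.
   */
  valueHash: string;
  /** Variable/key name if identifiable */
  keyName?: string;
  /** Context where secret was found */
  context: SecretContext;
  /** Detection confidence (0.0 - 1.0) */
  confidence: number;
  /** Whether this appears to be a test/example value */
  isTestValue: boolean;
  /** Pattern ID that detected this secret (see SecretPattern.id) */
  patternId: string;
  /** Detection timestamp */
  detectedAt: Date;
  /** Severity based on secret type */
  severity: Severity;
}

/**
 * Secret detection pattern.
 *
 * Patterns are matched against arbitrary file content, so a regex here
 * should be free of catastrophic backtracking (nested/overlapping
 * quantifiers) to keep scan time bounded on hostile inputs.
 * @trace REQ-SEC-SECRET-002
 */
export interface SecretPattern {
  /** Unique pattern ID */
  id: string;
  /** Pattern name */
  name: string;
  /** Secret type this pattern detects */
  type: SecretType;
  /** Regex pattern to match */
  regex: RegExp;
  /** Optional key name patterns (for key=value pairs) */
  keyPatterns?: RegExp[];
  /** Severity when matched */
  severity: Severity;
  /** Patterns that indicate test/example values */
  testValuePatterns?: RegExp[];
  /** Additional validation function name */
  validator?: string;
  /** Pattern description */
  description: string;
  /** Whether pattern is enabled by default */
  enabled: boolean;
  /** False positive rate (for tuning) */
  falsePositiveRate?: number;
}

/**
 * Built-in secret patterns.
 *
 * NOTE(review): the type arguments of `Omit<...>` were lost when this
 * declaration was extracted; which SecretPattern keys are omitted cannot
 * be recovered from this page and must be restored from the source.
 */
export declare const BUILTIN_SECRET_PATTERNS: Omit[];

/**
 * Secret scan options.
 */
export interface SecretScanOptions {
  /** Custom patterns to use */
  customPatterns?: SecretPattern[];
  /** Built-in patterns to disable (by SecretPattern.id) */
  disablePatterns?: string[];
  /** File patterns to exclude */
  excludePatterns?: string[];
  /** Ignore test/example values */
  ignoreTestValues?: boolean;
  /** Maximum file size in bytes (larger files are presumably counted in skippedFiles — confirm) */
  maxFileSize?: number;
  /**
   * Verify secrets (check if they're valid/active).
   * NOTE(review): verification via `'api-call'` presumably transmits the
   * candidate secret to the issuing service — confirm this stays opt-in
   * (default off) and that the raw value is not retained in results or logs.
   */
  verify?: boolean;
  /** Entropy threshold for generic detection */
  entropyThreshold?: number;
}

/**
 * Secret scan result.
 * @trace REQ-SEC-SECRET-001
 */
export interface SecretScanResult {
  /** Detected secrets */
  secrets: Secret[];
  /** Number of files scanned */
  scannedFiles: number;
  /** Number of files skipped */
  skippedFiles: number;
  /** Scan duration in milliseconds */
  duration: number;
  /** Scan timestamp */
  timestamp: Date;
  /** Scan options used */
  options: SecretScanOptions;
  /** Summary by type */
  summary: {
    /** Count per secret type; types with no findings may be absent */
    byType: Partial<Record<SecretType, number>>;
    bySeverity: {
      critical: number;
      high: number;
      medium: number;
      low: number;
    };
    total: number;
    testValues: number;
  };
}

/**
 * Secret verification result.
 */
export interface SecretVerification {
  /** Secret ID */
  secretId: string;
  /** Whether the secret is valid/active */
  isValid: boolean;
  /** Verification method used */
  method: 'api-call' | 'format-check' | 'entropy' | 'none';
  /** Additional info from verification */
  info?: {
    /** For API keys: associated account/org */
    account?: string;
    /** For API keys: permissions */
    permissions?: string[];
    /** Expiration if known */
    expiresAt?: Date;
  };
  /** Verification timestamp */
  verifiedAt: Date;
  /**
   * Error if verification failed.
   * NOTE(review): upstream error text can echo request details — confirm
   * the raw secret is never included here.
   */
  error?: string;
}
//# sourceMappingURL=secret.d.ts.map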